Symantec closes vulnerability for malicious rar containers

Symantec has patched two vulnerabilities that allowed attackers to perform a denial of service attack through a malicious rar container. The vulnerabilities were present in many of the company’s security products, including Norton software.

Symantec writes that the vulnerabilities, with attributes cve-2016-5310 and cve-2016-5309, pose a moderate security risk. This stems from the fact that an attacker could only perform a dos attack, causing the affected Symantec software to stop working. However, Google researcher Tavis Ormandy, who discovered the leaks, leaves via Twitter know that he disagrees with Symantec’s assessment. According to him, the vulnerabilities allow remote code execution, which should be considered serious.

Ormandy states that Symantec has included a very old version of the tool ‘unrarsrc’ in its products and has failed to update the software. In a now publicized post on the Chromium bug tracker, Ormandy writes that the outdated version of the file extraction software contains many different public vulnerabilities. On the same page, the security researcher also makes two proof of concepts available in the form of two zip files.

By June, Ormandy had found other serious leaks in Symantec products. At the time, he described that the vulnerabilities can be used by, for example, sending a victim a malicious file. Since the Symantec software automatically scans email attachments, infection could occur without victim interaction. Symantec states in its message which software products are updated via Live Update and which require a manual patch.